Stupid passwords are a valid rebellion against technology
It is now axiomatic that most people choose dumb passwords but a recent study on advances in graphics processing suggests that it might have gone well beyond the simple issue of good versus bad logins. According to a widely-publicised...
According to a widely-publicised report from Georgia Tech Research Institute, improvements in graphics card processing grunt threaten to render any random assortment of characters below a 12-character threshold insecure to brute forcing.
That’s a tall order because not only is the world have to deal with the nonchalant way many people choose uselessly trivial passwords, but even complex ones might no longer be good enough. Perhaps the lazy were right to save themselves the trouble after all.
The issue of graphics card power and password cracking isn’t a new worry, and much of what is said about it is still theoretical, but it misses the point on two scores. First, passwords of any length and complexity are insecure if they are cracked in plain text, as they can be recent data theft Trojans such as Zeus, which steals them to break into online banking systems.
We know this happens because we have the stark evidence. It is happening to bank accounts as I write this. This requires software expertise not hardware wizardry.
Would a criminal invest in a graphics card array to break through password screens? Possibly, probably, but right now there are easier ways to achieve the same aim. The password issue could also be made much harder by simply placing more than one screen between a potential thief and a secure system, raising the processing workload by n. That is already happening.
Secondly, the real problem with passwords isn’t simply their complexity but the sheer volume users are now expected to remember and manage.
Remembering one complex ‘secure’ password sounds straightforward enough but remembering 50 or 100 complex passwords and applying each to the correct service or website raises the bar to levels even expert users struggle with.
Most users hate passwords, even despise them. My own theory is the ‘123456’ passwords you hear about are actually a sort of sublimated rebellion against the modern world and its technological demands. People are constantly asked to enter passwords that interrupt the flow of whatever they are trying to achieve, and then badgered to make up new ones.
The answer to this is to make judicious use of a password utility (see the excellent web app LastPass among others, which are a fine answer as long as you at least secure access to them using one long, sophisticated password to start with. The other benefit of such applications is that they can be used to generate complex passwords which the user doesn’t actually have to remember.
The medium-term answer to the password issue isn’t to berate users about their password habits but to offer automated tools to take away the decision making altogether. Indeed this should be mandatory. Such tools can also be used to - and this is an important point - regularly change passwords in an automated way.
This could be supplemented with tokens of some sort although they have a habit of multiplying in ways that make them almost as unmanageable as passwords.
Stop trying to change people. Take passwords away from them and the world will be better for it.
ShareTwitter Facebook Google Plus
The intrusive bill has passed into UK law. Here's how we got here, and what to do next...
The grab and go technology looks impressive, but only if you're willing to have your data harvested by cameras and microphones